Information Commissioner’s Office 


Age Appropriate 
Design code 


Start date:15 April 2019 
End date: 31 May 2019 


Information Commissioner's Office 


Introduction 


The Information Commissioner is seeking feedback on her draft code of 
practice Age appropriate design - a code of practice for online services 
likely to be accessed by children (the code). 


The code will provide guidance on the design standards that the 
Commissioner will expect providers of online ‘Information Society 
Services’ (ISS), which process personal data and are likely to be accessed 
by children, to meet. 


The code is now out for public consultation and will remain open until 31 
May 2019. The Information Commissioner welcomes feedback on the 
specific questions set out below. 


Please send us your comments by 31 May 2019. 


Download this document and email to: 


ageappropriatedesign@ico.org.uk 


Print off this document and post to: 
Age Appropriate Design code consultation 
Policy Engagement Department 
Information Commissioner’s Office 
Wycliffe House 

Water Lane 

Wilmslow 

Cheshire SK9 5AF 


If you would like further information on the consultation please 
telephone 0303 123 1113 and ask to speak to the Policy 
Engagement Department about the Age Appropriate Design code or 


email_ageappropriatedesign@ico.org.uk 


Privacy statement 


For this consultation, we will publish all responses except for those where 
the respondent indicates that they are an individual acting in a private 
Capacity (e.g. a member of the public or a parent). All responses from 
organisations and individuals responding in a professional capacity (e.g. 
academics, child development experts, sole traders, child minders, 
education professionals) will be published. We will remove email 
addresses and telephone numbers from these responses but apart from 
this, we will publish them in full. 


For more information about what we do with personal data, please see 
Our privacy notice. 


Section 1: Your views 


Q1. Is the ‘About this code’ section of the code clearly communicated? 


Yes 


Q2. Is the ‘Services covered by this code’ section of the code clearly 
communicated? 


Yes 


Standards of age-appropriate design 


Please provide your views on the sections of the code covering each of 
the 16 draft standards 


1. Best interests of the child: The best interests of the child should be 
a primary consideration when you design and develop online services 
likely to be accessed by a child. 


2. Age-appropriate application: Consider the age range of your 
audience and the needs of children of different ages. Apply the standards 
in this code to all users, unless you have robust age-verification 
mechanisms to distinguish adults from children. 


3. Transparency: The privacy information you provide to users, and 
other published terms, policies and community standards, must be 
concise, prominent and in clear language suited to the age of the child. 
Provide additional specific ‘bite-sized’ explanations about how you use 
personal data at the point that use is activated. 


4. Detrimental use of data: Do not use children’s personal data in ways 
that have been shown to be detrimental to their wellbeing, or that go 
against industry codes of practice, other regulatory provisions or 
Government advice. 


5. Policies and community standards: Uphold your own published 
terms, policies and community standards (including but not limited to 
privacy policies, age restriction, behaviour rules and content policies). 


6. Default settings: Settings must be ‘high privacy’ by default (unless 
you can demonstrate a compelling reason for a different default setting, 
taking account of the best interests of the child). 


7. Data minimisation: Collect and retain only the minimum amount of 
personal data necessary to provide the elements of your service in which 
a child is actively and knowingly engaged. Give children separate choices 
over which elements they wish to activate. 


8. Data sharing: Do not disclose children’s data unless you can 
demonstrate a compelling reason to do so, taking account of the best 
interests of the child. 


9. Geolocation: Switch geolocation options off by default (unless you can 
demonstrate a compelling reason for geolocation, taking account of the 
best interests of the child), and provide an obvious sign for children when 
location tracking is active. Options which make a child’s location visible to 
others must default back to off at the end of each session. 


10. Parental controls: If you provide parental controls give the child 
age appropriate information about this. If your online service allows a 
parent or carer to monitor their child’s online activity or track their 
location, provide an obvious sign to the child when they are being 
monitored. 


11. Profiling: Switch options based on profiling off by default (unless you 
can demonstrate a compelling reason for profiling, taking account of the 
best interests of the child). Only allow profiling if you have appropriate 
measures in place to protect the child from any harmful effects (in 
particular, being fed content that is detrimental to their health or 
wellbeing). 


12. Nudge techniques: Do not use nudge techniques to lead or 
encourage children to provide unnecessary personal data, weaken or turn 
off privacy protections, or extend use. 


13. Connected toys and devices: If you provide a connected toy or 
device ensure you include effective tools to enable compliance with this 
code 


14. Online tools: Provide prominent and accessible tools to help children 
exercise their data protection rights and report concerns. 


15. Data protection impact assessments: Undertake a DPIA 
specifically to assess and mitigate risks to children who are likely to 
access your service, taking into account differing ages, capacities and 
development needs. Ensure that your DPIA builds in compliance with this 
code. 


16. Governance and accountability: Ensure you have policies and 
procedures in place which demonstrate how you comply with data 
protection obligations, including data protection training for all staff 
involved in the design and development of online services likely to be 
accessed by children. Ensure that your policies, procedures and terms of 
service demonstrate compliance with the provisions of this code 


Q3. Have we communicated our expectations for this standard clearly? 
1. Best interests of the child 


No 


The expectations for this standard are communicated clearly, but there 
would be great advantages in providing more practical guidance to 
industry on how to address this principle. Such examples are given 
elsewhere in the Code, and it would be valuable to include some here to 
help guide industry. 


Under section 15, Data Protection Impact Assessments, the Code 
suggests ways of addressing this need including, for example, 
consultation with young people, which could be referred to here. Case 
studies and examples from industry, civil society or other organisations 
would help to contextualise this, and the Code could also point to 
opportunities for working in partnership with civil society in order to help 
meet the standard. 


2. Age-appropriate application 
No 


In sections 6 and 13 of the Code, there is relevant information about 
shared devices, smart toys and non-screen internet enabled tech. Section 
2 of the Code could provide extra clarity by including references to these 
sections, and to the age-appropriate application needed to meet the 
standard as regards shared devices e.g. smart speakers. 

3. Transparency 

No 


The need to be concise and clear to cater for the needs of younger users 
when communicating about community standards is really important, and 
the guide makes this very practical. However, the Code currently makes 
no mention of children who may have specific needs in relation to the 
transparency of published terms, for instance children who are visually 
impaired, for instance, or who have special educational needs or 
disabilities. The Code should outline its expectation that online services 
consider those children with specific needs in relation to transparency. 


4. Detrimental use of data 
No 


The communication about the Standard is clear but could provide more 
context and clarity here by additionally providing a few case studies or 


examples to illustrate what it means by processing data in obviously 
detrimental ways. 


5. Policies and community standards 
No 


The communication of the standard is mostly clear, but it would help to 
provide examples in relation to the point on age restriction — is it possible 
to add some examples as to the types of systems in place that could be 
applied here? The text could also refer back to section 2 of the Code and 
could help provide extra clarity for online services to put in the most 
appropriate age identifying measures in order to uphold their own age 
restriction policies. Listing Policies and Community Standards as a 
relevant area to consider under section 2 of the code, alongside the other 
areas on p.26 could also provide further clarity. 


6. Default settings 
No 


We agree that this section is communicated clearly. If there is scope to 
provide examples of what a ‘compelling reason’ might be, that would be 
helpful. 


However, there is a clear educational opportunity which is not mentioned 
in the section on defaults, which we would want to see included here. 


Where defaults are set high, and the user acitvely selects to lower their 
settings, there is a clear timely moment and an opportunity to ensure the 
user is fully aware of the change they are making. It is important that 
online services make full use of this opportunity as users make a 
deliberate choice to change their settings, to ensure it is an informed 
choice. 

7. Data minimisation 

Yes 


8. Data sharing 
Yes 


9. Geolocation 
No 


It would be of practical use to provide some further information on what 
would constitute a compelling reason. For instance, would a mapping or 
transport app that is designed to provide users with directions and 
recommendations, have a compelling reason to use geolocation by 
default? 


If this is not a compelling reason, it would be helpful to outline what the 
expectation would look like in practice. 

10. Parental controls 

Yes 


11. Profiling 
No 


Profiling can have positive purposes, and can be tied to online 
protections. For example, if a service thinks that a user is a child, it can 
prevent them being served age-inappropriate advertising etc, or even 
have restricted sets of options available in their privacy settings. Child 
protection is mentioned briefly on p62, and is given as an example on 
p64 as a compelling argument to switch profiling. 


In this section of the Code, we would like to see examples of the positive 
uses of profiling in order to protect children and young people from harm. 
Greater clarity on the limits of this would be of practical use. 


12. Nudge techniques 
Yes 


13. Connected toys and devices 
Yes 


14. Online tools 
Yes 


15. Data protection impact assessments 
No 


The Code could provide more context by including summary wording of 
Article 12 of the UNCRC as part of Step 3 of the process around 
developing DPIAs. The UNCRC states that children have a right to be 
consulted and heard in matters affecting them. This element of Article 12 
is not currently included under section 1 of the Code (Best interests of the 
child) and would provide clarity about the rationale for the responsibility 
to consult if it was included here. 


Including this reference at this point in the Code would encourage 
business to consult with children and young people, and would provide 
more guidance to online services when considering their responsibilities 
under step 3. 

16. Governance and accountability 


Yes 


Q4. Do you have any examples that you think could be used to illustrate 
the approach we are advocating for this standard? 


1. Best interests of the child 


No 
If YES, then please provide details. 


2. Age-appropriate application 
Yes 


Education for a Connected World Framework 
https://www.gov.uk/government/publications/education-for-a-connected- 
world 


There are businesses acting in this space already taking steps to ensure 
that their online environments are age-appropriate for their users. The 
Code could support business to embed better practice by publicising 
examples such as these outside the core Code document, e.g. as case 
studies on the ICO website. 

3. Transparency 

Yes 


The average reading age in the UK is nine - reading ages are not 
mentioned in the Code and would be supportive and provide clarity here. 
PIRLS - Progress in International Reading Literacy Study 
https://www.iea.nl/pirls 


4. Detrimental use of data 


No 


5. Policies and community standards 


No 


6. Default settings: 
No 


7. Data minimisation 
Yes 


Specifically concerning the example used in the wording of the Code 
around data collection when a child is actively using the maps element: 
we would recommend not suggesting a 'light' as a possible solution. If 
this is a solution adopted widely, one unintended consequence may be 
that many children won't want to opt for this because they would be 
concerned that extra light could drain their device battery quicker. They 
would therefore choose to opt out because of their concerns around 
battery life, rather than in response to informed choices about their 
privacy and data protection. We would recommend listing an alternative 
example e.g. an icon on screen. 


8. Data sharing 
No 


9. Geolocation 
No 


10. Parental controls 
No 


11. Profiling 
No 


12. Nudge techniques 
No 


13. Connected toys and devices 
No 


14. Online tools 


No 


15. Data protection impact assessments 
No 
16. Governance and accountability 


No 


Q5. Do you think this standard gives rise to any unwarranted or 
unintended consequences? 


1. Best interests of the child 


No 


2. Age-appropriate application 
No 


3. Transparency 

No 

4. Detrimental use of data 

No 

If YES, then please provide your reasons for this view. 
5. Policies and community standards 


No 


6. Default settings 


No 


If YES, then please provide your reasons for this view. 
7. Data minimisation 
No 


If YES, then please provide your reasons for this view. 
8. Data sharing 
No 


If YES, then please provide your reasons for this view. 
9. Geolocation 
No 


If YES, then please provide your reasons for this view. 
10. Parental controls 
No 


If YES, then please provide your reasons for this view. 
11. Profiling 
No 


12. Nudge techniques 
No 


13. Connected toys and devices 
No 


14. Online tools 
No 


15. Data protection impact assessments 
No 


16. Governance and accountability 


No 


Q6. Do you envisage any feasibility challenges to online services 
delivering this standard? 


1. Best interests of the child 


YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 


2. Age-appropriate application 
YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

3. Transparency 

YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 
4. Detrimental use of data 


YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 


5. Policies and community standards 
YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

6. Default settings 

YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

7. Data minimisation 

YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

8. Data sharing 

YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

9. Geolocation 

YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 


10. Parental controls 
YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 


11. Profiling 
YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

12. Nudge techniques 

YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

13. Connected toys and devices 

YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

14. Online tools 

YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 

15. Data protection impact assessments 

YES/NO. 


If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 
16. Governance and accountability 


YES/NO. 
If YES, then please provide details of what you think the challenges are 
and how you think they could be overcome. 


Q7. Do you think this standard requires a transition period of any longer 
than 3 months after the code come into force? 


1. Best interests of the child 


YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


2. Age-appropriate application 
YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

3. Transparency 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

4. Detrimental use of data 


YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


5. Policies and community standards 
YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

6. Default settings 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

7. Data minimisation 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


8. Data sharing 
YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


9. Geolocation 
YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

10. Parental controls 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

11. Profiling 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

12. Nudge techniques 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

13. Connected toys and devices 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

14. Online tools 

YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 

15. Data protection impact assessments 


YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


16. Governance and accountability 


YES/NO. 


If YES, then please provide your reasons for this view, and give an 
indication of what you think a reasonable transition period would be and 
why. 


Q8. Do you know of any online resources that you think could be usefully 
linked to from this section of the code? 


1. Best interests of the child 


YES/NO. 
If YES, then please provide details (including links). 


2. Age-appropriate application 
Yes 


Education for a Connected World Framework 
https://www.gov.uk/government/publications/education-for-a- 
connected-world 

3. Transparency 

YES/NO. 


IRLS - Progress in International Reading Literacy Study 
https://www.iea.nl/pirls 


4. Detrimental use of data 
Yes 


e UK Council for Internet Safety (UKCIS) 

e Internet Watch Foundation’s FC Code of Practice 

The UNCRC and forthcoming General Comment on children’s rights in 
relation to the digital environment 


e Any codes introduced following the UK Government’s Online Harms 
White Paper 


5. Policies and community standards 
YES/NO. 


If YES, then please provide details (including links). 
6. Default settings 
YES/NO. 


If YES, then please provide details (including links). 
7. Data minimisation 
YES/NO. 


If YES, then please provide details (including links). 
8. Data sharing 
YES/NO. 


If YES, then please provide details (including links). 
9. Geolocation 
YES/NO. 


If YES, then please provide details (including links). 
10. Parental controls 
YES/NO. 


If YES, then please provide details (including links). 
11. Profiling 
YES/NO. 


If YES, then please provide details (including links). 
12. Nudge techniques 
No 


If YES, then please provide details (including links). 
13. Connected toys and devices 
No 


If YES, then please provide details (including links). 
14. Online tools 
YES/NO. 


If YES, then please provide details (including links). 
15. Data protection impact assessments 
YES/NO. 


If YES, then please provide details (including links). 
16. Governance and accountability 


YES/NO. 


If YES, then please provide details (including links). 


Q9. Is the ‘Enforcement of this code’ section clearly communicated? 
YES/NO. 

If NO, then please provide your reasons for this view. 

Q10. Is the ‘Glossary’ section of the code clearly communicated? 


YES/NO. 
If NO, then please provide your reasons for this view. 


Q11. Are there any key terms missing from the ‘Glossary’ section? 
YES/NO. 


If YES, then please provide your reasons for this view. 


Q12. Is the ‘Annex A: Age and developmental stages’ section of the 
code clearly communicated? 


YES/NO. 
If NO, then please provide your reasons for this view. 


Q13. Is there any information you think needs to be changed in the 
‘Annex A: Age and developmental stages’ section of the code? 


Yes 


We suggest the following amendments to this section: 


1. Paragraph 1: text edit: "... to help you assess what is apporpriate for 
children of broadly that age, or who are working at that age." 


2. Ages 0-5: additional point: Children at this age are likely to focus on 
themselves. 


text edit: "... They have limited capacity for, or understanding of, self- 
control or ability to manage their own time online. .... or watching video 
streams. however, they are often able to use simple tech unaided." 


text edit: "... lawful basis for processing their personal data you need 
informed parental consent." 


3. Ages 6-9: additional sentence under paragraph 3: "Children at this 
age are also unlikely to have a clear understanding of the complexities 
of consent online." 


Additional sentence under paragraph 5: "They need bitesized, 
engageing content to understand important messages." 


text edit: "... lawful basis for processing their personal data you need 
informed parental consent." 


4. Ages 10-12: additional clause under paragraph 1: "... own personal 
device (pre-dominantly smartphones), and online platforms to stay in 
touch". 


Additional sentence within paragraph 5: "... tend towards impulsive 
behaviours. They are likely to perceive risk as only immediate. Parental 
or other support therefore ..." 


5. Ages 13-15: additional sentence in paragraph 3: "They may have a 
strong desire for privacy from their parents, and so therefore may 
operate multiple accounts or profiles, some of which have different 
privacy settings or sharing settings to others. 


text edit in paragraph 4: "... signposting towards sources of age- 
appropriate support, inclluding but not limited to ..." 


Ages 16-17: text edit in paragraph 1: "...cognitively and emotionally, 
and still can take lots of risks online. They should not be expected to 
have the same resilience ..." 


text edit in paragraph 3: "Signposting to other sources of age- 
appropriate support in addition to ..." 


Both sections for ages 13-15 and 16-17 need to take into account 
ensuring "active and informed consent" from young people at these 


ages, and this text should be inserted into the final paragraphs of each 
of these two sections. 


Q14. Do you know of any online resources that you think could be 
usefully linked to from the ‘Annex A: Age and developmental 
stages’ section of the code? 


Yes 


IRLS - Progress in International Reading Literacy Study 
https://www.iea.nl/pirls 


Education for a Connected World Framework 


https://www.gov.uk/government/publications/education-for-a- 
connected-world 


SEND code of practice: 0 to 25 years 
https://www.gov.uk/government/publications/send-code-of-practice-0- 
to-25 


Q15. Is the ‘Annex B: Lawful basis for processing’ section of the 
code clearly communicated? 


YES/NO. 
If NO, then please provide your reasons for this view. 


Q16. Is this ‘Annex C: Data Protection Impact Assessments’ 
section of the code clearly communicated? 


YES/NO. 
If NO, then please provide your reasons for this view. 


Q17. Do you think any issues raised by the code would benefit from 
further (post publication) work, research or innovation? 


Yes 


There is a degree of work to be done to help frame users' expectations 
in relation to the Code, and to help build their understanding of the 
measures put in place that they might be coming across in their online 
use. 


Building a successful and thriving online world provides extraordinary 
opportunities for everyone, and user confidence and trust in the 


services they use is key here. Education for under 18s about what the 
Code means for them, will help better inform them, frame their 
expectations, and make them aware when they feel the standard has 
not been met so they can report. Awareness raising for parents, carers 
and the children's workforce will contribute towards children and young 
people's undesrtanding too, and contribute towards user confidence and 
trust, as well as informed decision-making between adults and children 
around access to online services. 


There is also scope for an impact assessment in relation to children and 
young people and their parents. It would be helpful to hear from this 
target audience, what the impact of the Code has been. This should 
focus on whether the changes have been noticeable as a result of the 
Code, what forms have been particularly noticeable, whether young 
people feel more or less confident about how data online is collected 
and used, and what options and rights they have in relation to this. It 
would also be important to ask them whether being online feels the 
same experience as it was before, what has changed for the better and 
what for the worse . 


Section 2: About you 


Are you: 


A body representing the views or interests of children? 


Please specify: 


A body representing the views or interests of parents? 
Please specify: 


Childnet International is a charity with a mission to work 
in partnership with others around the world to help make 
the internet a great and safe place for children. 


We work directly with children and young people from 
the ages of 3 to 18 on a weekly basis, as well as parents, 
carers, teachers and professionals, finding out about 
their real experiences online, and the positive things they 
are doing as well as sharing safety advice. 


A child development expert? 


Please specify: 


An Academic? 


Please specify: 


An individual acting in another professional capacity? 


Please specify: 


A provider of an ISS likely to be accessed by children? 


Please specify: 


A trade association representing ISS providers? 


Please specify: 


An individual acting in a private capacity (e.g. someone 
providing their views as a member of the public of the 
public or a parent)? 


An ICO employee? 


Other? 


Please specify: 


Thank you for responding to this consultation. 


We value your input. 


